Add OAuth Authorization Code + PKCE grant flow for public clients #30329
This is a heavy work in progress, but from what I can tell so far, it is fully backwards compatible with what we currently have in Mastodon 4.2.x and main. This will of course need a TONNE of test coverage and integration tests, which I'm still to have time to write.
This gives us a much better way to solve #30316 and #24871, as the majority of OAuth applications being registered at the moment are likely from public clients, such as web clients like Phanpy, Pinafore, and Semaphore, and mobile clients such as Ivory, Mastodon's official mobile apps, etc.
This PR would also pair nicely with #27948, since we'd want public clients to be able to regularly refresh their access tokens. I might roll that into this PR, and then have more comprehensive tests for everything.
We would probably want to extend the Apps API with support for `software_id` and `software_version` to help with grouping applications together, which would be an additional two columns on the `oauth_applications` table.

You do still need to use dynamic client registration since you need a `client_id` to interact with `/oauth/authorize`, but this paves the way for accepting, in the future, either `client_id` of IRIs to a public identifier document, or IndieAuth or FedCM.
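To make the flow the PR describes concrete, here is an added example of the Authorization Code + PKCE exchange for a public client, written for this page and not taken from the PR or from Mastodon's code. The `PkceExample` module and its in-memory `AuthorizationServer` are hypothetical; they stand in for the `/oauth/authorize` and `/oauth/token` endpoints and assume that a public client must always send an S256 `code_challenge`, that the issued code is single-use, and that the code is bound to the `client_id` and `redirect_uri` it was issued for. The test vector in the comments is the one published in RFC 7636 Appendix B.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical module, added for illustration; not Mastodon's implementation.
# Shows the three PKCE (RFC 7636, S256) steps a public client and the server perform.
module PkceExample
  # RFC 7636 section 4.1: 43..128 unreserved characters.
  VERIFIER_RE = /\A[A-Za-z0-9\-._~]{43,128}\z/

  # base64url without padding, as RFC 7636 requires.
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  # Client side: 32 random bytes -> 43-character code_verifier.
  def self.generate_code_verifier
    b64url(SecureRandom.random_bytes(32))
  end

  # Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
  # RFC 7636 Appendix B: 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
  #   -> 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'
  def self.code_challenge_for(verifier)
    b64url(Digest::SHA256.digest(verifier))
  end

  # Constant-time comparison so a wrong verifier cannot be distinguished by timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Hypothetical in-memory authorization server standing in for
  # /oauth/authorize and /oauth/token.
  class AuthorizationServer
    def initialize
      @codes = {} # authorization code => what it was issued for
    end

    # /oauth/authorize for a public client: a challenge is mandatory and only
    # S256 is accepted ('plain' would leak the verifier to anything that sees the URL).
    def authorize(client_id:, redirect_uri:, code_challenge:, code_challenge_method:)
      if code_challenge.nil? || code_challenge.empty?
        raise ArgumentError, 'code_challenge is required for public clients'
      end
      raise ArgumentError, 'only S256 is supported' unless code_challenge_method == 'S256'

      code = SecureRandom.urlsafe_base64(32)
      @codes[code] = { client_id: client_id, redirect_uri: redirect_uri, challenge: code_challenge }
      code
    end

    # /oauth/token with grant_type=authorization_code and a code_verifier.
    # Returns an access token on success, nil on any failure.
    def exchange(client_id:, redirect_uri:, code:, code_verifier:)
      record = @codes.delete(code) # single-use: a replayed code finds nothing
      return nil unless record
      return nil unless record[:client_id] == client_id && record[:redirect_uri] == redirect_uri
      return nil unless code_verifier.is_a?(String) && code_verifier.match?(VERIFIER_RE)

      expected = PkceExample.code_challenge_for(code_verifier)
      return nil unless PkceExample.secure_compare(expected, record[:challenge])

      SecureRandom.hex(32) # stand-in for a real bearer token
    end
  end
end

# Walk the flow as a public client would.
if $PROGRAM_NAME == __FILE__
  server = PkceExample::AuthorizationServer.new
  verifier = PkceExample.generate_code_verifier
  code = server.authorize(client_id: 'phanpy-example', redirect_uri: 'https://app.example/cb',
                          code_challenge: PkceExample.code_challenge_for(verifier),
                          code_challenge_method: 'S256')
  token = server.exchange(client_id: 'phanpy-example', redirect_uri: 'https://app.example/cb',
                          code: code, code_verifier: verifier)
  puts "token issued: #{!token.nil?}"
end
```

Because nothing secret is stored on the client, interception of the authorization code alone is useless to an attacker: the token endpoint only honours it together with the original `code_verifier`, and only once.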